In this blog post, I'm going to go through the installation of the Nexus 1000v on my ESXi host. The reason I'm installing the Nexus 1000v in my lab is so that I can tag vNIC traffic with Security Group Tags (SGTs) for later labbing.

In order to install the Nexus 1000v in your lab environment, you will need to download and install vCenter prior to beginning the following steps. If this is only for a lab, I would recommend going to vmware.com and downloading an evaluation copy. I won't walk through the entire installation process for vCenter, but if you would like to check out a blog that does, go here.

Starting with the Nexus 1000v 5.2(1)SV3(1.1) release, the Nexus 1000v supports SGACLs, and later versions added further features and improved scalability, such as:

SXP Version 3 (SXPv3) support to transport IPv4 subnets to SGT bindings

SGT tagging based on subnet IP addresses - mapping an SGT to all host addresses of a specified subnet

6000 IP-SGT mappings

4000 IP-Subnet-SGT mappings

128 SGACLs

128 ACEs per SGACL

8 SXP peers

TrustSec uses the device and user information that's acquired during authentication to classify or tag packets as they enter the network. Also you may statically tag a vEth port. These packets are tagged on ingress to the network to be identified for the purpose of applying security and other policy along the data path. I'll expand on this further in the next blog post.

Let's get started on the installation of the Nexus 1000v. You may download the Nexus 1000v files from Cisco.com as a .zip file. After you unzip the file, navigate to the Nexus1000v.5.2.x.x.x\VSM\Install\ folder and import the appropriate OVA to your ESXi host. During the import, it'll ask you to assign port groups to the interfaces and give it a management IP address.

Start the new virtual machine that was just created for the Virtual Supervisor Module (VSM) and walk through the setup:

After this, I will create the server VLAN. I'm just going to use a single VLAN in my lab but you can put as many as you would like in. There's no special syntax to this at all:

vlan 100
 name ServerVLAN

Then I will create a username and password to login with in the future:

no password strength-check
username admin password networknode role network-admin

(The no password strength-check option is one I would only use for labbing.)

Open up a browser and navigate to the VSM IP address you just assigned. Download the cisco_nexus1000v_extension.xml

Open up your vSphere client and go to the Plug-ins on the top bar:

On the window that pops up, right-click on the whitespace and choose New Plug-in. From this page, choose the cisco_nexus1000v_extension.xml file that you previously downloaded and register the plugin. Ignore the certificate warning:

Gracefully shut down your host VMs and SSH into your ESXi host. If you have not already enabled BASH and SSH access, console to your ESXi server from the UCS CIMC (or whichever server you're using) and press F2 to configure this. After it's configured, SSH into the BASH shell.

After you are in the CLI of the ESXi host, enter maintenance mode:

esxcli system maintenanceMode set --enable true

Use WinSCP to copy the Nexus 1000v vib file to the /tmp/ directory on the ESXi host. After it is copied, install the vib file from the CLI using the following command:

esxcli software vib install -v /tmp/nexus1000v.vib

After it has installed successfully, exit maintenance mode:

esxcli system maintenanceMode set --enable false
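The three ESXi-shell steps above (enter maintenance mode, install the VIB, leave maintenance mode) as one script. This is an example added here, not code from the original post or from Cisco or VMware. It assumes the busybox ash shell on the ESXi host, the /tmp/nexus1000v.vib path used above, and that you paste in the SHA-256 digest Cisco publishes next to the download; the checksum comparison is the check I would want before loading a kernel module into a hypervisor, and the script stays in maintenance mode if the install fails so the error can be looked at before the host goes back into service.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the maintenance-mode and
# VIB install steps in one script for the ESXi shell (busybox ash).
# Assumed: sha256sum and esxcli are on the host; the digest you pass in is the
# one published on the Cisco download page (placeholder until you replace it).

# sha256_of FILE -> prints the hex digest (ESXi's busybox provides sha256sum)
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_vib FILE DIGEST -> 0 if FILE exists and its SHA-256 equals DIGEST
verify_vib() {
    [ -f "$1" ] || { echo "VIB not found: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] || { echo "SHA-256 mismatch for $1" >&2; return 1; }
    return 0
}

# in_maintenance_mode -> 0 when the host reports maintenance mode Enabled
in_maintenance_mode() {
    [ "$(esxcli system maintenanceMode get)" = "Enabled" ]
}

# install_n1kv_vib FILE DIGEST -> verify the file, enter maintenance mode,
# install, list what was installed, then leave maintenance mode. On a failed
# install the host is left in maintenance mode so the error can be inspected.
install_n1kv_vib() {
    verify_vib "$1" "$2" || return 1
    if ! in_maintenance_mode; then
        esxcli system maintenanceMode set --enable true || return 1
    fi
    if ! esxcli software vib install -v "$1"; then
        echo "VIB install failed; host left in maintenance mode" >&2
        return 1
    fi
    esxcli software vib list | grep -i nexus        # show what was installed
    esxcli system maintenanceMode set --enable false
}

# Usage on the host:
#   sh n1kv_install.sh /tmp/nexus1000v.vib REPLACE_WITH_PUBLISHED_SHA256
# The install only runs when both arguments are given, so sourcing the file
# just defines the functions.
if [ "$#" -ge 2 ]; then
    install_n1kv_vib "$1" "$2"
fi
```

If the digest does not match, nothing is changed on the host and the script exits non-zero; the esxcli calls are exactly the ones shown above, only sequenced with the checks around them.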

In the vSphere client, navigate to Hosts and Clusters > Networking and view the Nexus 1000v. Highlight the Nexus 1000v switch and right-click. Choose Add Hosts.

In the Add Hosts screen, check the box next to your ESXi host and check the box next to the vmnic not currently being used by vSwitch0. Put it in the SYSTEM-UPLINK profile from the drop-down and click Next:

Click Next twice until this is completed.

Navigate to Hosts and Clusters and highlight your ESXi host. On the right tab, navigate to Configuration > Networking and click the Add Networking link.

Add a VMkernel port with an IP address in the ESXi host's subnet:

Navigate back to Networking. Highlight the Nexus 1000v switch and right-click. Go to Manage Hosts:

On this window, check the box next to your ESXi host and click Next:

Click Next again.

In the Network Connectivity screen, set the Destination Port Group of the VMkernel port you just created to the previously created n1kv-L3 port group and click Next until the wizard is complete.

Now that you've migrated your ESXi host over, you can edit the settings of individual hosts under Hosts and Clusters and ensure that you have network connectivity:

Do this for all the VMs you want to add to the Nexus 1000v.

Now that the Nexus 1000v is running and is the virtual switch for our hypervisor, I'm going to add some basic configurations to it so we can start providing some basic information to ISE. Be sure to add the Network Access Device in ISE as well: